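#!/bin/bash
# Begin $rc_base/init.d/unbound

# Description : Unbound DNS resolver boot script for IPfire
# Author : Marcel Lorenz <marcel.lorenz@ipfire.org>
#
# This script uses bash features (arrays, [[ =~ ]], <<<, +=), so it is
# run with bash explicitly instead of relying on /bin/sh being bash.

. /etc/sysconfig/rc
. ${rc_functions}

# Domain used to probe upstream name servers. The probes below look for
# its DNSKEY/DS/RRSIG records, so it is expected to be DNSSEC-signed.
TEST_DOMAIN="ipfire.org"

# This domain will never validate
TEST_DOMAIN_FAIL="dnssec-failed.org"

# Defaults; each may be overridden by /etc/sysconfig/unbound
INSECURE_ZONES=
USE_FORWARDERS=1
ENABLE_SAFE_SEARCH=off
FORCE_TCP=off
FORCE_TLS=off

# Cache any local zones for 60 seconds
LOCAL_TTL=60

# Load optional configuration
[ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound

# Extra arguments passed to every dig probe in this script
DIG_ARGS=()

if [ "${FORCE_TCP}" = "on" ]; then
	DIG_ARGS+=( "+tcp" )
fi
# NOTE(review): FORCE_TLS adds nothing to DIG_ARGS, so the probes in
# test_name_server() still talk plain DNS to servers that unbound will
# later only contact over TLS — a server that passes the probe may still
# be unusable once TLS is forced. Confirm whether this is intended.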
32
# Converts a dotted-quad IPv4 address into its reverse-lookup name.
# $1: IPv4 address a.b.c.d; prints d.c.b.a.in-addr.arpa
ip_address_revptr() {
	local a b c d
	IFS=. read -r a b c d <<< "${1}"

	printf '%s.%s.%s.%s.in-addr.arpa\n' "${d}" "${c}" "${b}" "${a}"
}
41
# Prints the upstream name servers handed to RED (/var/ipfire/red/dns1
# and dns2) as one space-separated line. Missing files are skipped
# silently.
read_name_servers() {
	local n
	for n in 1 2; do
		cat "/var/ipfire/red/dns${n}"
	done 2>/dev/null | xargs echo
}
48
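# Tests whether the RED interface is configured, present, has link and
# carries an IPv4 address.
#
# NOTE: the return convention is inverted compared to usual shell
# practice — callers test for "${?}" = "1":
#   0  RED is not usable (unconfigured, missing, no carrier or no address)
#   1  RED has carrier and an IPv4 address
check_red_has_carrier_and_ip() {
	local iface

	# Interface configured?
	[ -e "/var/ipfire/red/iface" ] || return 0
	iface="$(</var/ipfire/red/iface)"

	# Interface present?
	[ -e "/sys/class/net/${iface}" ] || return 0

	# Has carrier?
	[ "$(cat "/sys/class/net/${iface}/carrier" 2>/dev/null)" = "1" ] || return 0

	# Has an IPv4 address? Match the word "inet" only: a plain
	# grep "inet" would also match an "inet6" line, so an interface with
	# nothing but an IPv6 link-local address would count as addressed.
	ip address show dev "${iface}" 2>/dev/null | grep -qw "inet" || return 0

	return 1
}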
64
# Prints the "do not edit" banner placed at the top of every generated
# unbound configuration file, followed by an empty line.
config_header() {
	printf '%s\n' \
		"# This file is automatically generated and any changes" \
		"# will be overwritten. DO NOT EDIT!" \
		""
}
70
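# Selects the upstream name servers unbound forwards to and pushes the
# selection into the running daemon with unbound-control.
#
# Decision order:
#   1. RED must be usable and USE_FORWARDERS=1, else local recursor.
#   2. Every server from read_name_servers() is probed with
#      test_name_server(); validating (0) and DNSSEC-aware (2) servers
#      become forwarders, with DNSSEC enforced.
#   3. No usable server, but the root servers answer: local recursor with
#      DNSSEC enforced.
#   4. Only broken servers and no recursion possible: use them anyway with
#      DNSSEC in permissive mode. Answers are then NOT validated — this
#      trades security for availability and is logged as a failure.
#
# The chosen mode is written to /var/ipfire/red/dns.
update_forwarders() {
	local red_state
	check_red_has_carrier_and_ip
	# check_red_has_carrier_and_ip returns 1 when RED is usable
	red_state=$?

	if [ "${USE_FORWARDERS}" = "1" ] && [ "${red_state}" = "1" ]; then
		local forwarders
		local broken_forwarders

		local ns
		for ns in $(read_name_servers); do
			test_name_server "${ns}" &>/dev/null
			case "$?" in
				# Only use DNSSEC-validating or DNSSEC-aware name servers
				0|2)
					forwarders="${forwarders} ${ns}"
					;;
				*)
					broken_forwarders="${broken_forwarders} ${ns}"
					;;
			esac
		done

		# Show warning for any broken upstream name servers
		if [ -n "${broken_forwarders}" ]; then
			boot_mesg "Ignoring broken upstream name server(s): ${broken_forwarders:1}" ${WARNING}
			echo_warning
		fi

		if [ -n "${forwarders}" ]; then
			boot_mesg "Configuring upstream name server(s): ${forwarders:1}" ${INFO}
			echo_ok

			# Make sure DNSSEC is activated
			enable_dnssec

			echo "${forwarders}" > /var/ipfire/red/dns
			unbound-control -q forward ${forwarders}
			return 0

		# In case we have found no working forwarders
		else
			# Test if the recursor mode is available; DNSSEC is
			# re-enabled by the common recursor path below
			if can_resolve_root; then
				boot_mesg "Falling back to recursor mode" ${WARNING}
				echo_warning

			# If not, we set DNSSEC in permissive mode and allow using all recursors
			elif [ -n "${broken_forwarders}" ]; then
				disable_dnssec

				boot_mesg "DNSSEC has been set to permissive mode" ${FAILURE}
				echo_failure

				echo "${broken_forwarders}" > /var/ipfire/red/dns
				unbound-control -q forward ${broken_forwarders}
				return 0
			fi
		fi
	fi

	# If forwarders cannot be used we run in recursor mode.
	# Re-enable DNSSEC here too: a previous run may have left the daemon
	# in permissive mode, and that must not carry over into recursion
	# (remove_forwarders does the same).
	enable_dnssec
	echo "local recursor" > /var/ipfire/red/dns
	unbound-control -q forward off
}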
136
# Drops all forwarders so unbound resolves on its own from the root
# servers with DNSSEC enforced, and records that in /var/ipfire/red/dns.
remove_forwarders() {
	enable_dnssec
	unbound-control -q forward off
	echo "local recursor" > /var/ipfire/red/dns
}
143
# Publishes the firewall's own FQDN in unbound: an A record pointing at
# GREEN and PTR records for the GREEN, BLUE and ORANGE addresses. Uses
# the GREEN_ADDRESS/BLUE_ADDRESS/ORANGE_ADDRESS variables loaded from
# the ethernet settings.
own_hostname() {
	local fqdn
	fqdn="$(hostname -f)"

	# 1.1.1.1 is reserved for unused green, skip this
	if [ -n "${GREEN_ADDRESS}" ] && [ "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
		unbound-control -q local_data "${fqdn} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}"
	fi

	local addr revptr
	for addr in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
		# Skip unset interfaces and the unused-green placeholder
		case "${addr}" in
			""|1.1.1.1) continue ;;
		esac

		revptr="$(ip_address_revptr "${addr}")"
		unbound-control -q local_data "${revptr} ${LOCAL_TTL} IN PTR ${fqdn}"
	done
}
160
# Loads the static host entries from /var/ipfire/main/hosts into unbound.
# Each line is "enabled,address,hostname,domainname,generateptr"; only
# lines with enabled=on are used. An A record is always added; the PTR
# record is skipped for the GREEN address (own_hostname already covers
# it) and when the entry has generateptr=off.
update_hosts() {
	local enabled address hostname domainname generateptr
	local fqdn revptr

	while IFS="," read -r enabled address hostname domainname generateptr; do
		[ "${enabled}" = "on" ] || continue

		fqdn="${hostname}.${domainname}"
		unbound-control -q local_data "${fqdn} ${LOCAL_TTL} IN A ${address}"

		# No reverse record for GREEN or when the user turned it off
		if [ "${address}" = "${GREEN_ADDRESS}" ] || [ "${generateptr}" = "off" ]; then
			continue
		fi

		revptr="$(ip_address_revptr "${address}")"
		unbound-control -q local_data "${revptr} ${LOCAL_TTL} IN PTR ${fqdn}"
	done < /var/ipfire/main/hosts
}
183
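# Prints the "<kind>-addr:" / "<kind>-host:" lines for a "|"-separated
# server list, where kind is "stub" or "forward". Plain IPv4 addresses
# become *-addr entries, anything else is emitted as a *-host name.
_write_zone_servers() {
	local kind="${1}"
	local servers="${2}"
	local server

	for server in ${servers//|/ }; do
		if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
			echo " ${kind}-addr: ${server}"
		else
			echo " ${kind}-host: ${server}"
		fi
	done
}

# Generates /etc/unbound/forward.conf from the web UI's DNS forwarding
# settings (/var/ipfire/dnsforward/config, one zone per line:
# enabled,zone,server1|server2,remark,disable_dnssec[,...]).
#
# Reverse zones become stub zones, everything else a forward zone.
# Zones ending in .local, zones flagged by the user and INSECURE_ZONES
# are listed as domain-insecure, i.e. excluded from DNSSEC validation.
write_forward_conf() {
	(
		config_header

		# Force using TLS for upstream servers only
		if [ "${FORCE_TLS}" = "on" ]; then
			# NOTE(review): only tls-upstream is set here; no
			# tls-cert-bundle / tls-system-cert and no "#authname" on the
			# forward addresses is emitted. Unless another config file
			# provides them, upstream certificates are not verified and
			# TLS only gives encryption, not authentication — confirm.
			echo "# Force using TLS for upstream servers only"
			echo "server:"
			echo " tls-upstream: yes"
			echo

		# Force using TCP for upstream servers only
		elif [ "${FORCE_TCP}" = "on" ]; then
			echo "# Force using TCP for upstream servers only"
			echo "server:"
			echo " tcp-upstream: yes"
			echo
		fi

		local insecure_zones="${INSECURE_ZONES}"

		local enabled zone servers remark disable_dnssec rest
		while IFS="," read -r enabled zone servers remark disable_dnssec rest; do
			# Line must be enabled.
			[ "${enabled}" = "on" ] || continue

			# Zones that end with .local are commonly used for internal
			# zones and therefore not signed; otherwise honour the
			# per-zone "disable DNSSEC" switch
			case "${zone}" in
				*.local)
					insecure_zones="${insecure_zones} ${zone}"
					;;
				*)
					if [ "${disable_dnssec}" = "on" ]; then
						insecure_zones="${insecure_zones} ${zone}"
					fi
					;;
			esac

			# Reverse-lookup zones must be stubs. The transparent
			# local-zone presumably overrides unbound's built-in
			# local zones for private reverse ranges — verify.
			case "${zone}" in
				*.in-addr.arpa)
					echo "stub-zone:"
					echo " name: ${zone}"
					_write_zone_servers stub "${servers}"
					echo
					echo "server:"
					echo " local-zone: \"${zone}\" transparent"
					echo
					;;
				*)
					echo "forward-zone:"
					echo " name: ${zone}"
					_write_zone_servers forward "${servers}"
					echo
					;;
			esac
		done < /var/ipfire/dnsforward/config

		# Every zone collected above is excluded from validation
		if [ -n "${insecure_zones}" ]; then
			echo "server:"

			for zone in ${insecure_zones}; do
				echo " domain-insecure: ${zone}"
			done
		fi
	) > /etc/unbound/forward.conf
}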
264
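# Generates /etc/unbound/tuning.conf: threads and cache slabs follow the
# number of online CPUs, cache sizes follow the amount of RAM. See
# https://www.unbound.net/documentation/howto_optimise.html
write_tuning_conf() {
	# Determine number of online processors. Fall back to 1 so that a
	# failing getconf cannot produce an empty "num-threads:" line.
	local processors
	processors="$(getconf _NPROCESSORS_ONLN 2>/dev/null)"
	if ! [ "${processors}" -ge 1 ] 2>/dev/null; then
		processors=1
	fi

	# Determine number of slabs: smallest power of two >= processors
	local slabs=1
	while [ "${slabs}" -lt "${processors}" ]; do
		slabs=$(( slabs * 2 ))
	done

	# Determine amount of system memory (MB); treat unknown as tiny
	local mem
	mem="$(get_memory_amount)"
	mem="${mem:-0}"

	# In the worst case scenario, unbound can use double the
	# amount of memory allocated to a cache due to malloc overhead,
	# so the cache budget (MB) is kept far below physical RAM.
	local cache
	if [ "${mem}" -ge 8192 ]; then
		# Even larger systems with at least 8GB of RAM
		cache=1024
	elif [ "${mem}" -ge 4096 ]; then
		# Extra large systems with at least 4GB of RAM
		cache=512
	elif [ "${mem}" -ge 2048 ]; then
		# Large systems with at least 2GB of RAM
		cache=256
	elif [ "${mem}" -ge 1024 ]; then
		# Medium systems with at least 1GB of RAM
		cache=128
	elif [ "${mem}" -le 256 ]; then
		# Small systems with 256MB of RAM or less
		cache=16
	else
		# Everything else
		cache=64
	fi

	(
		config_header

		# We run one thread per processor
		echo "num-threads: ${processors}"
		echo "so-reuseport: yes"

		# Adjust number of slabs
		echo "infra-cache-slabs: ${slabs}"
		echo "key-cache-slabs: ${slabs}"
		echo "msg-cache-slabs: ${slabs}"
		echo "rrset-cache-slabs: ${slabs}"

		# Slice up the cache: half for RRsets, a quarter each for
		# messages and DNSSEC keys
		echo "rrset-cache-size: $(( cache / 2 ))m"
		echo "msg-cache-size: $(( cache / 4 ))m"
		echo "key-cache-size: $(( cache / 4 ))m"

		# Increase parallel queries
		echo "outgoing-range: 8192"
		echo "num-queries-per-thread: 4096"

		# Use larger send/receive buffers
		echo "so-sndbuf: 4m"
		echo "so-rcvbuf: 4m"
	) > /etc/unbound/tuning.conf
}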
335
# Prints the total system memory in MB, taken from the MemTotal line of
# /proc/meminfo (which reports kB).
get_memory_amount() {
	local key val unit

	while read -r key val unit; do
		[ "${key}" = "MemTotal:" ] || continue

		echo "$(( val / 1024 ))"
		return 0
	done < /proc/meminfo
}
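# Probes an upstream name server for DNSSEC support.
# $1: name server address
#
# Return codes:
#   0  DNSSEC validating
#   1  Error: unreachable, etc.
#   2  DNSSEC aware (passes DNSKEY/DS/RRSIG through but does not validate)
#   3  NOT DNSSEC-aware (at least one of DNSKEY/DS/RRSIG is missing)
# Missing record types are reported on stderr.
test_name_server() {
	local ns="${1}"

	# Exit when the server is not reachable
	ns_is_online "${ns}" || return 1

	# All three record types must come through; rr is local so the
	# loop variable does not leak into the caller's scope
	local rr errors
	for rr in DNSKEY DS RRSIG; do
		if ! "ns_forwards_${rr}" "${ns}"; then
			errors="${errors} ${rr}"
		fi
	done

	if [ -n "${errors}" ]; then
		echo >&2 "Unable to retrieve the following resource records from ${ns}: ${errors:1}"
		return 3
	fi

	# Return 0 if validating
	if ns_is_validating "${ns}"; then
		return 0
	fi

	# Is DNSSEC-aware only
	return 2
}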
383
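# Sends an A query to the nameserver w/o DNSSEC. Succeeds when dig
# reports a reply (it relies on dig's exit status, which is non-zero
# when no answer arrives at all).
# $1: name server; remaining arguments are passed on to dig
ns_is_online() {
	local ns="${1}"
	shift

	dig "${DIG_ARGS[@]}" "@${ns}" +nodnssec A "${TEST_DOMAIN}" "$@" >/dev/null
}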
391
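# Resolving ${TEST_DOMAIN_FAIL} will fail if the nameserver is validating.
# Returns 0 only when the server answers SERVFAIL for the bogus domain
# AND sets the "ad" flag on a +dnssec query for the good test domain.
# Anything else — including a reply without a flags line, e.g. after a
# timeout — is treated as not validating; the previous awk program
# defaulted to success in that case.
# $1: name server; remaining arguments are passed on to dig
ns_is_validating() {
	local ns="${1}"
	shift

	# A validating server must refuse the deliberately broken domain
	dig "${DIG_ARGS[@]}" "@${ns}" A "${TEST_DOMAIN_FAIL}" "$@" | grep -q SERVFAIL || return 1

	# ... and must mark the good domain as authenticated ("ad" flag).
	# Start from failure so a missing flags line cannot pass.
	dig "${DIG_ARGS[@]}" "@${ns}" +dnssec SOA "${TEST_DOMAIN}" "$@" \
		| awk 'BEGIN { s = 1 } /^;; flags:/ { if (/ ad[ ;]/) s = 0; exit s } END { exit s }'
}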
404
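# Checks if we can retrieve the DNSKEY for this domain.
# +short prints only answer-section records, so a server that strips
# DNSKEY (and replies with an SOA in the authority section instead)
# produces empty output. The previous "grep -qv SOA" matched dig's
# header lines and therefore succeeded for any reply at all.
# $1: name server; remaining arguments are passed on to dig
ns_forwards_DNSKEY() {
	local ns="${1}"
	shift

	dig "${DIG_ARGS[@]}" "@${ns}" +short DNSKEY "${TEST_DOMAIN}" "$@" | grep -q .
}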
413
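# Checks if we can retrieve the DS record for this domain.
# As in ns_forwards_DNSKEY, +short leaves the output empty when the
# server answers with an SOA instead of the requested records, whereas
# the previous "grep -qv SOA" succeeded for any reply.
# $1: name server; remaining arguments are passed on to dig
ns_forwards_DS() {
	local ns="${1}"
	shift

	dig "${DIG_ARGS[@]}" "@${ns}" +short DS "${TEST_DOMAIN}" "$@" | grep -q .
}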
420
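# Checks that the server passes RRSIG records through: a +dnssec A query
# for the test domain must contain at least one RRSIG in dig's output.
# $1: name server; remaining arguments are passed on to dig
ns_forwards_RRSIG() {
	local ns="${1}"
	shift

	dig "${DIG_ARGS[@]}" "@${ns}" +dnssec A "${TEST_DOMAIN}" "$@" | grep -q RRSIG
}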
427
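# Checks whether the server answers an A query over TCP.
# $1: name server; remaining arguments are passed on to dig
# Returns 0 when TCP works (or is already forced), 1 otherwise.
ns_supports_tcp() {
	local ns="${1}"
	shift

	# If TCP is forced we know by now if the server responds to it:
	# every earlier probe already ran with +tcp
	if [ "${FORCE_TCP}" = "on" ]; then
		return 0
	fi

	dig "${DIG_ARGS[@]}" "@${ns}" +tcp A "${TEST_DOMAIN}" "$@" >/dev/null || return 1
}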
439
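# Prints the IPv4 addresses of the root name servers, i.e. the A records
# in /etc/unbound/root.hints, one per line.
get_root_nameservers() {
	# local: the original leaked these (notably "hostname") as globals
	local name ttl record address

	while read -r name ttl record address; do
		# Searching for A records
		[ "${record}" = "A" ] || continue

		echo "${address}"
	done < /etc/unbound/root.hints
}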
448
# Returns 0 as soon as one root name server answers a +dnssec SOA query
# for ".", meaning recursor mode is possible; 1 when none is reachable.
can_resolve_root() {
	local root
	for root in $(get_root_nameservers); do
		dig "${DIG_ARGS[@]}" @${root} +dnssec SOA . $@ >/dev/null && return 0
	done

	# none of the servers was reachable
	return 1
}
460
# Turns DNSSEC enforcement on (val-permissive-mode: no) and records the
# state in /var/ipfire/red/dnssec-status. When the daemon was actually
# running in permissive mode, the whole cache is flushed so that no
# unvalidated answers survive the switch.
enable_dnssec() {
	local permissive
	permissive="$(unbound-control get_option val-permissive-mode)"

	# Log DNSSEC status
	echo "on" > /var/ipfire/red/dnssec-status

	# Already enforcing: nothing to do
	if [ "${permissive}" = "no" ]; then
		return 0
	fi

	# Activate DNSSEC and flush cache with any stale and unvalidated data
	unbound-control -q set_option val-permissive-mode: no
	unbound-control -q flush_zone .
}
474
# Switches unbound to DNSSEC permissive mode (validation failures are
# presumably no longer answered with SERVFAIL — see unbound.conf(5),
# val-permissive-mode) and records that in /var/ipfire/red/dnssec-status.
disable_dnssec() {
	# Log DNSSEC status
	echo "off" > /var/ipfire/red/dnssec-status

	unbound-control -q set_option val-permissive-mode: yes
}
481
# Last resort when DNS is still broken after start-up: if RED is usable
# but a lookup of the NTP pool fails, sync the clock against
# ntp.ipfire.org by its hard-coded address (81.3.27.46). A roughly
# correct clock is presumably needed for DNSSEC signature checks, which
# is why this lives in the DNS script.
fix_time_if_dns_fail() {
	local red_state
	check_red_has_carrier_and_ip
	# check_red_has_carrier_and_ip returns 1 when RED is usable
	red_state=$?

	[ -e "/var/ipfire/red/iface" ] && [ "${red_state}" = "1" ] || return 0

	if ! host 0.ipfire.pool.ntp.org > /dev/null 2>&1; then
		boot_mesg "DNS still not functioning... Trying to sync time with ntp.ipfire.org (81.3.27.46)..."
		loadproc /usr/local/bin/settime 81.3.27.46
	fi
}
494
# Resolves a host name to its IPv4 addresses by asking the RED name
# servers in turn; the first server that returns anything wins. CNAME
# targets (names ending in ".") in dig's +short output are dropped.
# $1: host name to resolve. Prints one address per line.
resolve() {
	local name="${1}"
	local ns answer got_answer

	for ns in $(read_name_servers); do
		got_answer=0
		for answer in $(dig "${DIG_ARGS[@]}" +short "@${ns}" A "${name}"); do
			got_answer=1

			# Filter out non-IP addresses
			case "${answer}" in
				*.) ;;
				*) echo "${answer}" ;;
			esac
		done

		# Stop at the first server that gave an answer
		[ "${got_answer}" -eq 1 ] && return 0
	done
}
515
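# Sets up Safe Search for various search engines
#
# The "www" host of each engine is overridden in unbound with the
# addresses of the engine's safe-search endpoint, which are looked up
# through resolve(), so RED has to be online. Previous overrides are
# always removed first, so running this with ENABLE_SAFE_SEARCH != on
# turns Safe Search off again.
#
# Two unbound-control invocations were fixed: Bing used
# "unbound-control bing.com transparent" (the local_zone subcommand was
# missing) and Google used "local_data:" with a stray colon, which is
# not a valid unbound-control command name.
update_safe_search() {
	local google_tlds=(
		google.ad
		google.ae
		google.al
		google.am
		google.as
		google.at
		google.az
		google.ba
		google.be
		google.bf
		google.bg
		google.bi
		google.bj
		google.bs
		google.bt
		google.by
		google.ca
		google.cat
		google.cd
		google.cf
		google.cg
		google.ch
		google.ci
		google.cl
		google.cm
		google.cn
		google.co.ao
		google.co.bw
		google.co.ck
		google.co.cr
		google.co.id
		google.co.il
		google.co.in
		google.co.jp
		google.co.ke
		google.co.kr
		google.co.ls
		google.com
		google.co.ma
		google.com.af
		google.com.ag
		google.com.ai
		google.com.ar
		google.com.au
		google.com.bd
		google.com.bh
		google.com.bn
		google.com.bo
		google.com.br
		google.com.bz
		google.com.co
		google.com.cu
		google.com.cy
		google.com.do
		google.com.ec
		google.com.eg
		google.com.et
		google.com.fj
		google.com.gh
		google.com.gi
		google.com.gt
		google.com.hk
		google.com.jm
		google.com.kh
		google.com.kw
		google.com.lb
		google.com.ly
		google.com.mm
		google.com.mt
		google.com.mx
		google.com.my
		google.com.na
		google.com.nf
		google.com.ng
		google.com.ni
		google.com.np
		google.com.om
		google.com.pa
		google.com.pe
		google.com.pg
		google.com.ph
		google.com.pk
		google.com.pr
		google.com.py
		google.com.qa
		google.com.sa
		google.com.sb
		google.com.sg
		google.com.sl
		google.com.sv
		google.com.tj
		google.com.tr
		google.com.tw
		google.com.ua
		google.com.uy
		google.com.vc
		google.com.vn
		google.co.mz
		google.co.nz
		google.co.th
		google.co.tz
		google.co.ug
		google.co.uk
		google.co.uz
		google.co.ve
		google.co.vi
		google.co.za
		google.co.zm
		google.co.zw
		google.cv
		google.cz
		google.de
		google.dj
		google.dk
		google.dm
		google.dz
		google.ee
		google.es
		google.fi
		google.fm
		google.fr
		google.ga
		google.ge
		google.gg
		google.gl
		google.gm
		google.gp
		google.gr
		google.gy
		google.hn
		google.hr
		google.ht
		google.hu
		google.ie
		google.im
		google.iq
		google.is
		google.it
		google.je
		google.jo
		google.kg
		google.ki
		google.kz
		google.la
		google.li
		google.lk
		google.lt
		google.lu
		google.lv
		google.md
		google.me
		google.mg
		google.mk
		google.ml
		google.mn
		google.ms
		google.mu
		google.mv
		google.mw
		google.ne
		google.nl
		google.no
		google.nr
		google.nu
		google.pl
		google.pn
		google.ps
		google.pt
		google.ro
		google.rs
		google.ru
		google.rw
		google.sc
		google.se
		google.sh
		google.si
		google.sk
		google.sm
		google.sn
		google.so
		google.sr
		google.st
		google.td
		google.tg
		google.tk
		google.tl
		google.tm
		google.tn
		google.to
		google.tt
		google.vg
		google.vu
		google.ws
	)

	# Cleanup previous settings
	unbound-control local_zone_remove "bing.com" >/dev/null
	unbound-control local_zone_remove "duckduckgo.com" >/dev/null
	unbound-control local_zone_remove "yandex.com" >/dev/null
	unbound-control local_zone_remove "yandex.ru" >/dev/null
	unbound-control local_zone_remove "youtube.com" >/dev/null

	local domain address
	for domain in "${google_tlds[@]}"; do
		unbound-control local_zone_remove "${domain}"
	done >/dev/null

	# Nothing to do if safe search is not enabled
	if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
		return 0
	fi

	# Bing
	unbound-control local_zone bing.com transparent >/dev/null
	for address in $(resolve "strict.bing.com"); do
		unbound-control local_data "www.bing.com ${LOCAL_TTL} IN A ${address}"
	done >/dev/null

	# DuckDuckGo
	unbound-control local_zone duckduckgo.com typetransparent >/dev/null
	for address in $(resolve "safe.duckduckgo.com"); do
		unbound-control local_data "duckduckgo.com ${LOCAL_TTL} IN A ${address}"
	done >/dev/null

	# Google: one lookup, applied to every country TLD
	local addresses
	addresses="$(resolve "forcesafesearch.google.com")"
	for domain in "${google_tlds[@]}"; do
		unbound-control local_zone "${domain}" transparent >/dev/null
		for address in ${addresses}; do
			unbound-control local_data "www.${domain} ${LOCAL_TTL} IN A ${address}"
		done >/dev/null
	done

	# Yandex
	for domain in yandex.com yandex.ru; do
		unbound-control local_zone "${domain}" typetransparent >/dev/null
		for address in $(resolve "familysearch.${domain}"); do
			unbound-control local_data "${domain} ${LOCAL_TTL} IN A ${address}"
		done >/dev/null
	done

	# YouTube
	unbound-control local_zone youtube.com transparent >/dev/null
	for address in $(resolve "restrictmoderate.youtube.com"); do
		unbound-control local_data "www.youtube.com ${LOCAL_TTL} IN A ${address}"
	done >/dev/null

	return 0
}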
768
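# Init script entry point. Besides the usual start/stop/restart/status
# actions it offers maintenance commands used by other IPFire scripts
# and for debugging from the shell.
case "$1" in
	start)
		# Print a nicer message when unbound is already running
		if pidofproc -s unbound; then
			statusproc /usr/sbin/unbound
			exit 0
		fi

		# Interface addresses (GREEN_ADDRESS, BLUE_ADDRESS, ORANGE_ADDRESS).
		# readhash emits shell assignments that are eval'ed here, so the
		# settings file must remain trusted, system-written configuration.
		eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)

		# Update configuration files
		write_tuning_conf
		write_forward_conf

		boot_mesg "Starting Unbound DNS Proxy..."
		loadproc /usr/sbin/unbound || exit $?

		# Make own hostname resolveable
		own_hostname

		# Update any known forwarding name servers
		update_forwarders

		# Install Safe Search rules when the system is already online
		if [ -e "/var/ipfire/red/active" ]; then
			update_safe_search
		fi

		# Update hosts
		update_hosts

		fix_time_if_dns_fail
		;;

	stop)
		boot_mesg "Stopping Unbound DNS Proxy..."
		killproc /usr/sbin/unbound
		;;

	restart)
		$0 stop
		sleep 1
		$0 start
		;;

	status)
		statusproc /usr/sbin/unbound
		;;

	update-forwarders)
		# Do not try updating forwarders when unbound is not running.
		# -x matches the process name exactly, so another unbound-*
		# process (e.g. unbound-control) does not count as the daemon.
		if ! pgrep -x unbound &>/dev/null; then
			exit 0
		fi

		update_forwarders

		# Drop cached failures and bogus data gathered with the old upstreams
		unbound-control flush_negative > /dev/null
		unbound-control flush_bogus > /dev/null

		fix_time_if_dns_fail
		;;

	remove-forwarders)
		# Do not try updating forwarders when unbound is not running
		if ! pgrep -x unbound &>/dev/null; then
			exit 0
		fi

		remove_forwarders

		unbound-control flush_negative > /dev/null
		unbound-control flush_bogus > /dev/null
		;;

	test-name-server)
		ns="${2}"
		if [ -z "${ns}" ]; then
			echo "Usage: $0 test-name-server <name server address>"
			exit 1
		fi

		test_name_server "${ns}"
		ret=${?}

		case "${ret}" in
			0)
				echo "${ns} is validating"
				;;
			2)
				echo "${ns} is DNSSEC-aware"
				;;
			3)
				echo "${ns} is NOT DNSSEC-aware"
				;;
			*)
				echo "Test failed for an unknown reason"
				exit ${ret}
				;;
		esac

		if ns_supports_tcp "${ns}"; then
			echo "${ns} supports TCP fallback"
		else
			echo "${ns} does not support TCP fallback"
		fi

		exit ${ret}
		;;

	resolve)
		resolve "${2}"
		;;

	update-safe-search)
		update_safe_search
		;;

	*)
		echo "Usage: $0 {start|stop|restart|status|update-forwarders|remove-forwarders|test-name-server|resolve|update-safe-search}"
		exit 1
		;;
esac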
889
890# End $rc_base/init.d/unbound